From enumeration to privilege escalation

Our permissions have been enumerated, so now we will move on to trying to use those permissions for privilege escalation in the environment. There is also a Pacu module for this, called iam__privesc_scan. This module checks the set of permissions that you enumerated to see whether your user is vulnerable to any of 21 different known privilege escalation methods in AWS.

Rhino Security Labs wrote an article that details these 21 different privilege escalation methods and how they can be manually exploited, which you can refer to here: https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/.

After the module checks whether we are vulnerable to any of those methods, it will try to exploit them to perform the privilege escalation for us, which makes our job easy. If you are interested in reading more about the privilege escalation module, you can use the help command to do so:

help iam__privesc_scan

As the help output shows, this module can also be run against other users and roles in the account to determine whether they are vulnerable to privilege escalation as well, but for the time being we are only going to target our own user.

We have already enumerated our permissions, so we can go ahead and run just the privilege escalation module without any arguments:

run iam__privesc_scan

The module will execute, search your permissions to see whether you are vulnerable to any of the escalation methods it checks for, and then try to exploit them. In the case of our Test user, it should detect that we are vulnerable to the PutUserPolicy privilege escalation method. It will then try to abuse that permission to put (essentially attach) a new inline policy to our user. We are in control of the policy that we attach to our user, so we can specify an administrator-level IAM policy and attach it to our user, which then gives us administrator access. The module does this automatically by adding the following policy document to our user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
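From the defender's side, the action just described leaves a clear trail: an iam:PutUserPolicy call (or its role/group equivalents) whose policy document contains an Allow statement with Action "*" and Resource "*", very often issued by the same principal it targets. The following is an added example, not part of the book or of Pacu, that scans CloudTrail-style records for exactly that pattern. The three event records are constructed for illustration; the policy name jea70c72mk and the Test user are the ones from the text above. It assumes the policyDocument field has already been decoded to a plain JSON string, as it appears in CloudTrail's requestParameters.

```python
"""Flag inline-policy writes in CloudTrail records whose document grants full admin."""
import json

# Constructed sample CloudTrail records (not real log data). The first mirrors
# the inline admin policy Pacu attaches; the second is a benign scoped policy;
# the third is an unrelated read-only call that must not be flagged.
SAMPLE_EVENTS = [
    {
        "eventName": "PutUserPolicy",
        "eventSource": "iam.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "Test"},
        "requestParameters": {
            "userName": "Test",
            "policyName": "jea70c72mk",
            "policyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
            }),
        },
    },
    {
        "eventName": "PutUserPolicy",
        "eventSource": "iam.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "deploy"},
        "requestParameters": {
            "userName": "deploy",
            "policyName": "s3-read-only",
            "policyDocument": json.dumps({
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Action": ["s3:GetObject", "s3:ListBucket"],
                    "Resource": "arn:aws:s3:::example-bucket/*",
                }],
            }),
        },
    },
    {
        "eventName": "GetUser",
        "eventSource": "iam.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "Test"},
        "requestParameters": {"userName": "Test"},
    },
]

# The IAM API calls that attach an inline policy to a principal.
INLINE_POLICY_WRITES = {"PutUserPolicy", "PutRolePolicy", "PutGroupPolicy"}


def _as_list(value):
    """IAM allows scalar-or-list for Action, Resource and Statement; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_is_full_admin(stmt: dict) -> bool:
    """True when an Allow statement grants every action on every resource."""
    if stmt.get("Effect") != "Allow":
        return False
    return "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource"))


def policy_grants_full_admin(policy_document: str) -> bool:
    """Parse a policy document string and check for any full-admin statement."""
    doc = json.loads(policy_document)
    return any(statement_is_full_admin(s) for s in _as_list(doc.get("Statement")))


def find_admin_inline_policy_events(events):
    """Return (actor, target, policyName, self_grant) for every inline-policy
    write whose document is a full-admin grant. self_grant is True when the
    caller attached the policy to itself, the shape of the escalation above."""
    hits = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        if ev.get("eventName") not in INLINE_POLICY_WRITES:
            continue
        params = ev.get("requestParameters") or {}
        doc = params.get("policyDocument")
        if not doc or not policy_grants_full_admin(doc):
            continue
        target = params.get("userName") or params.get("roleName") or params.get("groupName")
        actor = ev.get("userIdentity", {}).get("userName")
        hits.append((actor, target, params.get("policyName"), actor == target))
    return hits


if __name__ == "__main__":
    for actor, target, name, self_grant in find_admin_inline_policy_events(SAMPLE_EVENTS):
        tag = " (self-granted)" if self_grant else ""
        print(f"ALERT: {actor} attached full-admin inline policy {name!r} to {target}{tag}")
```

Only the first record is reported. The self-granted flag is the detail worth alerting on with high priority; a user writing an inline admin policy onto its own identity is the textbook signature of this escalation method, and removing iam:PutUserPolicy (and the role/group variants) from non-administrative principals is the mitigation that prevents it outright.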

The following screenshot shows output that should be similar to what you see when you run the privilege escalation module:

In the preceding screenshot, we can see the line Successfully added an inline policy named jea70c72mk! You should now have administrator permissions. This sounds good, but let's confirm it just to be sure.

We can confirm this in a few different ways. One is to run the iam__enum_permissions module again and then view the Permissions field; it should now include a new entry that is just a star (*), the wildcard that stands for every permission. That means we have administrator access to the environment!

If we view our user in the AWS web console, we will see a new policy named jea70c72mk attached to our user, and when we click the arrow next to it to expand the document, we can see the administrator policy inside it:
